Results 1  10
of
23
On ideal lattices and learning with errors over rings
 In Proc. of EUROCRYPT, volume 6110 of LNCS
, 2010
"... The “learning with errors ” (LWE) problem is to distinguish random linear equations, which have been perturbed by a small amount of noise, from truly uniform ones. The problem has been shown to be as hard as worstcase lattice problems, and in recent years it has served as the foundation for a pleth ..."
Abstract

Cited by 39 (7 self)
 Add to MetaCart
The “learning with errors ” (LWE) problem is to distinguish random linear equations, which have been perturbed by a small amount of noise, from truly uniform ones. The problem has been shown to be as hard as worstcase lattice problems, and in recent years it has served as the foundation for a plethora of cryptographic applications. Unfortunately, these applications are rather inefficient due to an inherent quadratic overhead in the use of LWE. A main open question was whether LWE and its applications could be made truly efficient by exploiting extra algebraic structure, as was done for latticebased hash functions (and related primitives). We resolve this question in the affirmative by introducing an algebraic variant of LWE called ringLWE, and proving that it too enjoys very strong hardness guarantees. Specifically, we show that the ringLWE distribution is pseudorandom, assuming that worstcase problems on ideal lattices are hard for polynomialtime quantum algorithms. Applications include the first truly practical latticebased publickey cryptosystem with an efficient security reduction; moreover, many of the other applications of LWE can be made much more efficient through the use of ringLWE. 1
Fully homomorphic encryption without modulus switching from classical GapSVP
 In Advances in Cryptology  Crypto 2012, volume 7417 of Lecture
"... We present a new tensoring technique for LWEbased fully homomorphic encryption. While in all previous works, the ciphertext noise grows quadratically (B → B 2 · poly(n)) with every multiplication (before “refreshing”), our noise only grows linearly (B → B · poly(n)). We use this technique to constr ..."
Abstract

Cited by 19 (2 self)
 Add to MetaCart
We present a new tensoring technique for LWEbased fully homomorphic encryption. While in all previous works, the ciphertext noise grows quadratically (B → B 2 · poly(n)) with every multiplication (before “refreshing”), our noise only grows linearly (B → B · poly(n)). We use this technique to construct a scaleinvariant fully homomorphic encryption scheme, whose properties only depend on the ratio between the modulus q and the initial noise level B, and not on their absolute values. Our scheme has a number of advantages over previous candidates: It uses the same modulus throughout the evaluation process (no need for “modulus switching”), and this modulus can take arbitrary form. In addition, security can be classically reduced from the worstcase hardness of the GapSVP problem (with quasipolynomial approximation factor), whereas previous constructions could only exhibit a quantum reduction from GapSVP. Fully homomorphic encryption has been the focus of extensive study since the first candidate scheme was introduced by Gentry [Gen09b]. In a nutshell, fully homomorphic encryption allows to
Pseudorandom Functions and Lattices
, 2011
"... We give direct constructions of pseudorandom function (PRF) families based on conjectured hard lattice problems and learning problems. Our constructions are asymptotically efficient and highly parallelizable in a practical sense, i.e., they can be computed by simple, relatively small lowdepth arith ..."
Abstract

Cited by 10 (3 self)
 Add to MetaCart
We give direct constructions of pseudorandom function (PRF) families based on conjectured hard lattice problems and learning problems. Our constructions are asymptotically efficient and highly parallelizable in a practical sense, i.e., they can be computed by simple, relatively small lowdepth arithmetic or boolean circuits (e.g., in NC 1 or even TC 0). In addition, they are the first lowdepth PRFs that have no known attack by efficient quantum algorithms. Central to our results is a new “derandomization ” technique for the learning with errors (LWE) problem which, in effect, generates the error terms deterministically. 1 Introduction and Main Results The past few years have seen significant progress in constructing publickey, identitybased, and homomorphic cryptographic schemes using lattices, e.g., [Reg05, PW08, GPV08, Gen09, CHKP10, ABB10a] and many more. Part of their appeal stems from provable worstcase hardness guarantees (starting with the seminal work of Ajtai [Ajt96]), good asymptotic efficiency and parallelism, and apparent resistance to quantum
Lattice Signatures Without Trapdoors
"... We provide an alternative method for constructing latticebased digital signatures which does not use the “hashandsign” methodology of Gentry, Peikert, and Vaikuntanathan (STOC 2008). Our resulting signature scheme is secure, in the random oracle model, based on the worstcase hardness of the Õ(n ..."
Abstract

Cited by 9 (4 self)
 Add to MetaCart
We provide an alternative method for constructing latticebased digital signatures which does not use the “hashandsign” methodology of Gentry, Peikert, and Vaikuntanathan (STOC 2008). Our resulting signature scheme is secure, in the random oracle model, based on the worstcase hardness of the Õ(n1.5)SIVP problem in general lattices. The secret key, public key, and the signature size of our scheme are smaller than in all previous instantiations of the hashandsign signature, and our signing algorithm is also quite simple, requiring just a few matrixvector multiplications and rejection samplings. We then also show that by slightly changing the parameters, one can get even more efficient signatures that are based on the hardness of the Learning With Errors problem. Our construction naturally transfers to the ring setting, where the size of the public and secret keys can be significantly shrunk, which results in the most practical todate provably secure signature scheme based on lattices.
How to garble arithmetic circuits
 In Symposium on Foundations of Computer Science (FOCS ’11
, 2011
"... Yao’s garbled circuit construction transforms a boolean circuit C: {0, 1} n → {0, 1} m into a “garbled circuit ” Ĉ along with n pairs of kbit keys, one for each input bit, such that Ĉ together with the n keys corresponding to an input x reveal C(x) and no additional information about x. The garbled ..."
Abstract

Cited by 6 (1 self)
 Add to MetaCart
Yao’s garbled circuit construction transforms a boolean circuit C: {0, 1} n → {0, 1} m into a “garbled circuit ” Ĉ along with n pairs of kbit keys, one for each input bit, such that Ĉ together with the n keys corresponding to an input x reveal C(x) and no additional information about x. The garbled circuit construction is a central tool for constantround secure computation and has several other applications. Motivated by these applications, we suggest an efficient arithmetic variant of Yao’s original construction. Our construction transforms an arithmetic circuit C: Zn → Zm over integers from a bounded (but possibly exponential) range into a garbled circuit Ĉ along with n affine functions Li: Z → Zk such that Ĉ together with the n integer vectors Li(xi) reveal C(x) and no additional information about x. The security of our construction relies on the intractability of the learning with errors (LWE) problem. 1
Faster Gaussian lattice sampling using lazy floatingpoint arithmetic. Full version of the ASIACRYPT ’12 article
"... Abstract. Many lattice cryptographic primitives require an efficient algorithm to sample lattice points according to some Gaussian distribution. All algorithms known for this task require longinteger arithmetic at some point, which may be problematic in practice. We study how much lattice sampling ..."
Abstract

Cited by 5 (1 self)
 Add to MetaCart
Abstract. Many lattice cryptographic primitives require an efficient algorithm to sample lattice points according to some Gaussian distribution. All algorithms known for this task require longinteger arithmetic at some point, which may be problematic in practice. We study how much lattice sampling can be sped up using floatingpoint arithmetic. First, we show that a direct floatingpoint implementation of these algorithms does not give any asymptotic speedup: the floatingpoint precision needs to be greater than the security parameter, leading to an overall complexity Õ(n 3) where n is the lattice dimension. However, we introduce a laziness technique that can significantly speed up these algorithms. Namely, in certain cases such as NTRUSign lattices, laziness can decrease the complexity to Õ(n2) or even Õ(n). Furthermore, our analysis is practical: for typical parameters, most of the floatingpoint operations only require the doubleprecision IEEE standard. 1
Practical latticebased cryptography: A signature scheme for embedded systems
 of LNCS
, 2012
"... Abstract. Nearly all of the currently used and welltested signature schemes (e.g. RSA or DSA) are based either on the factoring assumption or the presumed intractability of the discrete logarithm problem. Further algorithmic advances on these problems may lead to the unpleasant situation that a lar ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
Abstract. Nearly all of the currently used and welltested signature schemes (e.g. RSA or DSA) are based either on the factoring assumption or the presumed intractability of the discrete logarithm problem. Further algorithmic advances on these problems may lead to the unpleasant situation that a large number of schemes have to be replaced with alternatives. In this work we present such an alternative – a signature scheme whose security is derived from the hardness of lattice problems. It is based on recent theoretical advances in latticebased cryptography and is highly optimized for practicability and use in embedded systems. The public and secret keys are roughly 12000 and 2000 bits long, while the signature size is approximately 9000 bits for a security level of around 100 bits. The implementation results on reconfigurable hardware (Spartan/Virtex 6) are very promising and show that the scheme is scalable, has low area consumption, and even outperforms some classical schemes.
IdentityBased (Lossy) Trapdoor Functions and Applications
, 2011
"... We provide the first constructions of identitybased (injective) trapdoor functions. Furthermore, they are lossy. Constructions are given both with pairings (DLIN) and lattices (LWE). Our lossy identitybased trapdoor functions provide an automatic way to realize, in the identitybased setting, many ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
We provide the first constructions of identitybased (injective) trapdoor functions. Furthermore, they are lossy. Constructions are given both with pairings (DLIN) and lattices (LWE). Our lossy identitybased trapdoor functions provide an automatic way to realize, in the identitybased setting, many functionalities previously known only in the publickey setting. In particular we obtain the first deterministic and efficiently searchable IBE schemes and the first hedged IBE schemes, which achieve best possible security in the face of bad randomness. Underlying our constructs is a new definition, of partial lossiness, that may be of broader interest.
Circular and KDM security for identitybased encryption
 In Public Key Cryptography
, 2012
"... We initiate the study of security for keydependent messages (KDM), sometimes also known as “circular ” or “clique ” security, in the setting of identitybased encryption (IBE). Circular/KDM security requires that ciphertexts preserve secrecy even when they encrypt messages that may depend on the se ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
We initiate the study of security for keydependent messages (KDM), sometimes also known as “circular ” or “clique ” security, in the setting of identitybased encryption (IBE). Circular/KDM security requires that ciphertexts preserve secrecy even when they encrypt messages that may depend on the secret keys, and arises in natural usage scenarios for IBE. We construct an IBE system that is circular secure for affine functions of users ’ secret keys, based on the learning with errors (LWE) problem (and hence on worstcase lattice problems). The scheme is secure in the standard model, under a natural extension of a selectiveidentity attack. Our three main technical contributions are (1) showing the circular/KDMsecurity of a “dual”style LWE publickey cryptosystem, (2) proving the hardness of a version of the “extended LWE ” problem due to O’Neill, Peikert and Waters (CRYPTO’11), and (3) building an IBE scheme around the dualstyle system using a novel latticebased “allbutd ” trapdoor function. 1
WorstCase to AverageCase Reductions for Module Lattices
"... Abstract. Most latticebased cryptographic schemes are built upon the assumed hardness of the Short Integer Solution (SIS) and Learning With Errors (LWE) problems. Their efficiencies can be drastically improved by switching the hardness assumptions to the more compact RingSIS and RingLWE problems. ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
Abstract. Most latticebased cryptographic schemes are built upon the assumed hardness of the Short Integer Solution (SIS) and Learning With Errors (LWE) problems. Their efficiencies can be drastically improved by switching the hardness assumptions to the more compact RingSIS and RingLWE problems. However, this change of hardness assumptions comes along with a possible security weakening: SIS and LWE are known to be at least as hard as standard (worstcase) problems on euclidean lattices, whereas RingSIS and RingLWE are only known to be as hard as their restrictions to special classes of ideal lattices, corresponding to ideals of some polynomial rings. In this work, we define the ModuleSIS and ModuleLWE problems, which bridge SIS with RingSIS, and LWE with RingLWE, respectively. We prove that these averagecase problems are at least as hard as standard lattice problems restricted to module lattices (which themselves generalize arbitrary and ideal lattices). As these new problems enlarge the toolbox of the latticebased cryptographer, they could prove useful for designing new schemes. Importantly, the worstcase to averagecase reductions for the module problems are (qualitatively) sharp, in the sense that there exist converse reductions. This property is not known to hold in the context of RingSIS/RingLWE: Ideal lattice problems could reveal easy without impacting the hardness of RingSIS/RingLWE. 1